Running an instance of Security Onion that originally started as the 14.05 version but has been getting updates through "sudo soup". After running for several months, I noticed I only had PCAPs for a couple of days, then only 2 days, then only the current day, and finally only a short window before the current time.
The issue was that the underlying filesystem was filling up, and it was filling up with Elasticsearch index files. Security Onion's cleanup job purges the oldest PCAPs once disk usage crosses its threshold, so as the indices grew, PCAP retention shrank. You can't just delete the index files from disk; Elasticsearch has to remove the index itself, which you do through its REST API with "curl" commands against localhost:9200. Keep in mind that deleting an index permanently destroys that log data, so if any of it is still needed for an investigation, export it first.
To list all of the indices, run the following:
curl -s localhost:9200/_cat/indices
To see only those that are closed (closed indices no longer serve searches but still occupy disk), pipe that to grep and search for "close":
curl -s localhost:9200/_cat/indices | grep close
Then to delete indices, send an HTTP DELETE to the index name (or a wildcard pattern):
curl -XDELETE localhost:9200/logstash-syslog-2018*
Note that you can use wildcards to delete indices, but I found that ? did not work while * did. In a URL, ? begins the query string, so curl never sends it as part of the index name; the * wildcard only works while Elasticsearch's action.destructive_requires_name setting is left at its default of false, otherwise wildcard deletes are refused and each index has to be named exactly.
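The following is an added example, not code from the original post or from Security Onion itself. It takes the `_cat/indices` output (a constructed sample is embedded so it runs offline), selects indices by shell glob pattern and open/closed status, totals their on-disk size, and defaults to a dry run before issuing one DELETE per exact index name. Deleting by exact name sidesteps both the `?`-in-URL problem and `action.destructive_requires_name`. The `ES_URL` variable and the column selection (`h=index,status,store.size&bytes=b`) are assumptions about how you would query your own node.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or Security Onion): choose and
# delete Elasticsearch indices safely. Defaults to a dry run.
ES_URL="${ES_URL:-http://localhost:9200}"   # assumed: ES listening on localhost:9200

# Constructed sample of: curl -s "$ES_URL/_cat/indices?h=index,status,store.size&bytes=b"
# Columns: index name, status, store size in bytes (closed indices may report no size).
SAMPLE_INDICES='logstash-syslog-2018.03.01 open 5242880
logstash-syslog-2018.03.02 close 4194304
logstash-bro-2018.03.02 open 1048576
logstash-syslog-2018.04.15 open 2097152
.kibana open 65536'

# select_indices PATTERN [STATUS]  (reads _cat/indices lines on stdin)
# Prints index names matching the shell glob PATTERN with the given status
# (open, close, or any). Globbing happens in the shell, so '?' works here
# even though it cannot travel inside a URL. Dot-prefixed system indices
# such as .kibana are never selected.
select_indices() {
  pattern=$1
  status=${2:-any}
  while read -r name st size; do
    [ -z "$name" ] && continue
    case "$name" in .*) continue ;; esac
    case "$name" in $pattern) ;; *) continue ;; esac
    [ "$status" = any ] || [ "$st" = "$status" ] || continue
    printf '%s\n' "$name"
  done
}

# index_bytes PATTERN [STATUS]  (reads _cat/indices lines on stdin)
# Sums store.size for the matching indices so you know how much disk a
# deletion will actually free. A missing size (closed index) counts as 0.
index_bytes() {
  pattern=$1
  status=${2:-any}
  total=0
  while read -r name st size; do
    [ -z "$name" ] && continue
    case "$name" in .*) continue ;; esac
    case "$name" in $pattern) ;; *) continue ;; esac
    [ "$status" = any ] || [ "$st" = "$status" ] || continue
    total=$((total + ${size:-0}))
  done
  printf '%s\n' "$total"
}

# delete_indices  (reads index names on stdin, one per line)
# DRY_RUN=1 (the default) only prints what would be deleted; set DRY_RUN=0
# to send one DELETE per exact index name, no wildcards.
delete_indices() {
  while read -r name; do
    [ -z "$name" ] && continue
    if [ "${DRY_RUN:-1}" = 1 ]; then
      printf 'DRY RUN: would DELETE %s/%s\n' "$ES_URL" "$name"
    else
      curl -s -o /dev/null -w "%{http_code} DELETE $name\n" -XDELETE "$ES_URL/$name"
    fi
  done
}

# Stand-alone demo on the constructed sample: closed syslog indices from March 2018.
printf '%s\n' "$SAMPLE_INDICES" | select_indices 'logstash-syslog-2018.03.*' close | delete_indices
```

Against a live node, replace the `printf` of `SAMPLE_INDICES` with `curl -s "$ES_URL/_cat/indices?h=index,status,store.size&bytes=b"`, run once with the default dry run, check the total from `index_bytes` against what you need to free, and only then rerun with `DRY_RUN=0`.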